Kerberos and Share issues - JAMF Connect

New Contributor

Hello all. Just for some context, I'm Alex, and I work at a school in the UK. We are currently in the process of setting up JAMF Pro and JAMF connect, and we are running into trouble around DFS shares and Kerberos. Are AD domain is school.local, and are azure AD  is, and we are currently not getting Kerberos tickets,. In the JAMF connect logs, I get a kerberos authentication error, OffDomain. So I am wondering if this has anything to do with the domain names not matching and wondering if anyone else has had similar issues and how you've gotten around it? Just to clarify, I can ping the domain from my test Mac, and kinit gives a manual Kerberos ticket. Also, the next question... We have DFS shares for our home folders in AD, and all our other shares are DFS. I'm desperately looking for some way of mounting these shares, based on user groups etc. If certain user is in particular group, mount this share for them, etc. And as well while having home folders mounted over DFS. I know this isn't officially supported by JAMF connect, but changing our AD to try and not use DFS is a root that I don't think my boss will be too happy to go down... I've looked into the JAMF nation mount network shares script on GitHub, but I am thinking that may run into issues as I'm not sure how JAMF connect pulls AD groups so we can attempt to modify that script. And the best thing overall, I somehow have to try and fix all this by the end of the week to integrate our Macs into JAMF connect by the end of the week. I've contacted JAMF support, and I have a case in progress. Also, for some context, I'm pretty new to the JAMF mac admin stuff, but have been doing Windows administration for a few years now. Thank you all for any help, and sorry for the long post... 


Contributor II

I dont think your kerbros ticket from azure will work with your on prem shares. You could and add a Kerberos single sign-on extension:

put the realm as school.local, and under host put the extention for your dfs share. If it detects the network it will prompt the user for there creds, and should sync a token from your on prem domain controllers

New Contributor

Hi and thanks for your reply.

When implementing this, I get prompted for my Domain creds, and when running klist, and accessing ticket viewer, I have a valid ticket.

However, the Finder still prompts for domain creds when attempting to mount the DFS share. For the profile I have the SSO payload configured, with Kerberos selected, and  have SCHOOL.LOCAL as the realm, and for host, I've tried smb://school.local, both upper and lower case, and also just school.local, both upper and lower case. No other settings configured. Any ideas? 😊. Thanks, Alex.